Month: November 2015

Overthinking things can really be a weakness. This week I had to provision a Fortigate 100D firewall for a customer with the following requirements:
– dual ISP links, one for data and another for the cloud PABX.
– all internet traffic is to use ISP1 and voice traffic ISP2, with the capability of failing over to the other link in the event the designated ISP link goes down.
– trunk one of the ports, with vlan 1 untagged and vlan 100 tagged for voice.

If you have followed me long enough, you would probably have noticed that I am more of a Cisco person and Fortigates are not really my cup of tea. This customer used to have an 800 series Cisco router with a single internet link. This would have been a piece of cake if we had just stuck with the Cisco 1921 or 1941 they have onsite, but for some reason their MSP were having issues with it, hence it was replaced with a Cisco 881.

We asked their MSP to provide us with the current configs of the cisco router and this is what we got:

Looking at the config we can see that FastEthernet0 is trunking and connected to a switch. Unlike the Cisco 1900 routers, where you would have to configure encapsulation dot1q to tag VLANs, the Cisco 800s implicitly leave vlan 1 untagged and tag whatever VLAN you create.

Being the Fortigate noob, I had to do the same thing on the Fortigate: leave the default vlan untagged and start tagging vlan100 for voice. I went to System > Network > Interface, clicked on lan, then double-clicked it (or clicked the Edit button).

On the edit interface page, choose manual addressing mode and enter the IP address and subnet mask. This is basically equivalent to

int vlan1
ip add 10.10.10.1 255.255.255.0

then click OK.
This will take you back to the Interfaces page; there, click on the Create New button.

Enter the interface name; under Interface I chose lan, entered the VLAN ID (in my example I placed it in VLAN 101), chose manual addressing mode and entered the IP address and subnet mask. It is best practice to write a short description in the Comments box, then hit OK.

Creating a policy to allow traffic:

Next we need to create a policy to allow LAN traffic to pass through the WAN interface and perform NAT. To do this, go to Policy & Objects > Policy > IPv4 > Create New.
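For readers who prefer the CLI, here is the equivalent of the GUI steps above (the lan address, the tagged voice VLAN, and the outbound NAT policy) as an added example; it is not from the original post and not a Fortinet-supplied configuration. It assumes a single VDOM named root, FortiOS 5.x CLI syntax, a WAN link named wan1, and a constructed voice subnet of 10.10.101.0/24, since the post gives no voice IP. It also goes a little beyond the GUI walkthrough: the policy's source is restricted to the LAN subnet instead of "all", management access is kept off the voice VLAN, and traffic logging is enabled.

```fortios
# Added example (not the post's own config). Assumptions: VDOM "root",
# FortiOS 5.x syntax, WAN interface named "wan1", constructed voice subnet
# 10.10.101.0/24. "lan" is the built-in switch interface on the 100D.

# 1. Static address on lan, which carries untagged vlan 1 (int vlan1 above).
config system interface
    edit "lan"
        set vdom "root"
        set mode static
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
    # 2. Tagged voice VLAN riding on lan (VLAN 101 as in the post's example).
    #    Only ping is allowed to the interface itself: phones never need
    #    HTTPS/SSH management on their gateway.
    edit "voice"
        set vdom "root"
        set mode static
        set ip 10.10.101.1 255.255.255.0
        set allowaccess ping
        set description "Voice VLAN 101 tagged on lan"
        set interface "lan"
        set vlanid 101
    next
end

# 3. Address object for the data LAN, so the policy is not "all" -> "all".
config firewall address
    edit "LAN_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# 4. Outbound policy: lan -> wan1, source NAT to the wan1 address, logged.
#    "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set comments "LAN to Internet with NAT"
    next
end
```

After pasting this, `show system interface voice` should list `set interface "lan"` and `set vlanid 101`, and `show firewall policy` should show the single lan-to-wan1 policy with `set nat enable`. Note that this policy covers only the data LAN; the voice VLAN gets no internet access until it has its own policy, which is where the post's second requirement (voice via ISP2 with failover) will come in.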